#VU23653 Information disclosure in TIBCO Spotfire Server and TIBCO Spotfire for AWS - CVE-2019-17336
Published: December 18, 2019
Vulnerability identifier: #VU23653
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-17336
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
TIBCO Spotfire Server
TIBCO Spotfire for AWS
TIBCO Spotfire Server
TIBCO Spotfire for AWS
Software vendor:
TIBCO
TIBCO
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the Data access layer component exposes credentials for shared data sources. A remote authenticated attacker can gain access to information that can lead to obtaining credentials used to access Spotfire data sources.
To successful exploitation of this vulnerability the attacker would need privileges to save a Spotfire file to the library, and only applies in a situation where NTLM credentials, or a credentials profile is in use.
Remediation
Install updates from vendor's website.